Who we are Our website address is: https://practice-supervisors.rip.org.uk. What personal data we collect and why we collect it Comments When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment. Media If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website. Contact forms Will we be using contact forms? Cookies If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day. More information on how we use cookies is available on our Cookies page. Embedded content from other websites Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website. Analytics Who we share your data with How long we retain your data If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information. What rights you have over your data If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes. Where we send your data Visitor comments may be checked through an automated spam detection service. Additional information How we protect your data We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. What data breach procedures we have in place In the physical world Our paper records are minimal but can include printed contracts, printed event information and other small sources of data used in day-to-day office activity. Personal data held on paper is digitised and the paper is destroyed as soon as possible. We operate a clear desk policy, have a secure building, use a standard cross-shredder and use a regular secure document disposal service. Cloud servers We use standard cloud servers for our technology, which can be in data centres in other locations apart from the UK. This will involve transferring your data outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries. Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield. Encryption All websites (including CRM) are hosted on industry standard secure servers where access to personal data is encrypted behind authentication. Passwords for accessing the encrypted data are themselves encrypted and stored in the Dartington Hall Trust network behind a full network permissions set up by Dartington Hall Trust ICT. User connection when accessing the website and CRM is encrypted through the appropriate use of certificates. Ensure ongoing confidentiality, integrity, availability and resilience All websites (including CRM) are backed up daily on a four-week rolling cycle. This permits availability to restore with minimal risk of data loss. Data is stored in industry standard databases with root admin security and are spread across multiple data centres in the EU and UK for full redundancy. Restore in a timely manner after an incident We have a procedure in place allowing for disaster recovery which includes ‘Major Critical Incident’ which permits continuity of the business with minimal data loss risk. Testing the effectiveness of the security Our web applications are occasionally subject to Penetration Testing by a consultant and issues are addressed. Adherence to code of conduct Employees are required to adhere to a Dartington Hall Trust code of conduct in relation to electronic systems. Our Staff have received training in General Data Protection Regulations. Ensuring strict adherence from our contractors (third-party data processors) We use approved contractors to build our websites (including CRM). These contractors are subject to strict rules about data access and handling and have access to our servers. Where possible and practical, third-party contractors (processors) are guided by our staff directly and are subject to Non-Disclosure Agreements where personal data protection is concerned. Contractors are expected to run their own physical and technical security to a high standard and have full insurances. We have visited the offices of our contractors and are satisfied that they meet good standards of data security. What third parties we receive data from We work with third party data processors. These organisations help us to fulfil our obligations as a service provider and are themselves subject to their own policies as under law. These organisations include: Email servicesMailChimp. The Rocket Science Group, LLC 675, Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 U.S.A. Online surveysSmartSurvey Ltd. Basepoint Business Centre, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD U.K. Print/mailWilliam Pollard & Co Ltd. Oak House, Falcon Road, Exeter, Devon, EX2 7NU U.K. Video conferencing, hosting and webinarsAdobe Systems Europe Ltd. Market House Maidenhead SL6 8AG U.K.Vimeo, Inc. 555 West 18th Street, New York, New York 10011 U.S.A. Website development and hosting technologyAB Multimedia Limited. Registered Office: 9 Richmond Road, Exeter, EX4 4JA U.K.Mentor, 4 West End, Somerset St, Bristol, BS2 8NE Event Management (Commissions only). Arlo: Registered Office: 7 Ward St, Level 2, Lower Hutt 5010 New Zealand Research in Practice reserves the right to change or add to any third-party processors used in providing our services. Changes will be noted in this policy.